Tag Archive | profiling

Suricata 3.0RC2 Available!

Photo by Eric Leblond

We’re happy to announce Suricata 3.0RC2. RC2 fixes a few issues in RC1 that require some more testing. The plan still is to release the stable within a few weeks, so please help us test this release!

Fixes:

  • Bug #1551: –enable-profiling-locks broken
  • Bug #1602: eve-log prefix field feature broken
  • Bug #1614: app_proto key missing from EVE file events
  • Bug #1615: disable modbus by default
  • Bug #1616: TCP reassembly bug
  • Bug #1617: DNS over TCP parsing issue
  • Bug #1618: SMTP parsing issue
  • Feature #1635: unified2 output: disable by default

Get the release here:

http://www.openinfosecfoundation.org/download/suricata-3.0RC2.tar.gz

Known issues & missing features

In a development release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.  See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0. This release is a major improvement over the previous releases with regard to performance, scalability and accuracy. Also, a number of great features have been added.

The biggest new features of this release are the addition of “Eve”, our all JSON output for events: alerts, HTTP, DNS, SSH, TLS and (extracted) files; much improved VLAN handling; a detectionless ‘NSM’ runmode; much improved CUDA performance.

The Eve log allows for easy 3rd party integration. It has been created with Logstash in mind specifically and we have a quick setup guide here: Logstash_Kibana_and_Suricata_JSON_output

kibana300 kibana300map

Download

Get the new release here: https://www.openinfosecfoundation.org/download/suricata-2.0.tar.gz

Notable new features, improvements and changes

  • Eve log, all JSON event output for alerts, HTTP, DNS, SSH, TLS and files. Written by Tom Decanio of nPulse Technologies
  • NSM runmode, where detection engine is disabled. Development supported by nPulse Technologies
  • Various scalability improvements, clean ups and fixes by Ken Steel of Tilera
  • Add –set commandline option to override any YAML option, by Jason Ish of Emulex
  • Several fixes and improvements of AF_PACKET and PF_RING
  • ICMPv6 handling improvements by Jason Ish of Emulex
  • Alerting over PCIe bus (Tilera only), by Ken Steel of Tilera
  • Feature #792: DNS parser, logger and keyword support, funded by Emerging Threats
  • Feature #234: add option disable/enable individual app layer protocol inspection modules
  • Feature #417: ip fragmentation time out feature in yaml
  • Feature #1009: Yaml file inclusion support
  • Feature #478: XFF (X-Forwarded-For) support in Unified2
  • Feature #602: availability for http.log output – identical to apache log format
  • Feature #813: VLAN flow support
  • Feature #901: VLAN defrag support
  • Features #814, #953, #1102: QinQ VLAN handling
  • Feature #751: Add invalid packet counter
  • Feature #944: detect nic offloading
  • Feature #956: Implement IPv6 reject
  • Feature #775: libhtp 0.5.x support
  • Feature #470: Deflate support for HTTP response bodies
  • Feature #593: Lua flow vars and flow ints support
  • Feature #983: Provide rule support for specifying icmpv4 and icmpv6
  • Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
  • Feature #1032: profiling: per keyword stats
  • Feature #878: add storage api

Upgrading

The configuration file has evolved but backward compatibility is provided. We thus encourage you to update your suricata configuration file. Upgrade guidance is provided here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Upgrading_Suricata_14_to_Suricata_20

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Tom DeCanio, nPulse
  • Ken Steele, Tilera
  • Jason Ish, Endace / Emulex
  • Duarte Silva
  • Giuseppe Longo
  • Ignacio Sanchez
  • Florian Westphal
  • Nelson Escobar, Myricom
  • Christian Kreibich, Lastline
  • Phil Schroeder, Emerging Threats
  • Luca Deri & Alfredo Cardigliano, ntop
  • Will Metcalf, Emerging Threats
  • Ivan Ristic, Qualys
  • Chris Wakelin
  • Francis Trudeau, Emerging Threats
  • Rmkml
  • Laszlo Madarassy
  • Alessandro Guido
  • Amin Latifi
  • Darrell Enns
  • Paolo Dangeli
  • Victor Serbu
  • Jack Flemming
  • Mark Ashley
  • Marc-Andre Heroux
  • Alessandro Guido
  • Petr Chmelar
  • Coverity

Known issues & missing features

If you encounter issues, please let us know!  As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 2.0beta2 Available!

Photo by Eric Leblond

The OISF development team is proud to announce Suricata 2.0beta2.  This big update is the second beta release for the upcoming 2.0 version.

Some notable improvements are:

– This release overhauls the protocol detection feature. It now considers both sides of connection, and will raise events on mismatches.
– DNS parser and logger was much improved.
– Tilera support was greatly improved.
– Lots of performance and code quality improvements.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-2.0beta2.tar.gz

New features

  • Feature #234: add option disable/enable individual app layer protocol inspection modules
  • Feature #417: ip fragmentation time out feature in yaml
  • Feature #478: XFF (X-Forwarded-For) support in Unified2
  • Feature #602: availability for http.log output – identical to apache log format
  • Feature #751: Add invalid packet counter
  • Feature #813: VLAN flow support
  • Feature #901: VLAN defrag support
  • Feature #878: add storage api
  • Feature #944: detect nic offloading
  • Feature #956: Implement IPv6 reject
  • Feature #983: Provide rule support for specifying icmpv4 and icmpv6
  • Feature #1008: Optionally have http_uri buffer start with uri path for use in proxied environments
  • Feature #1009: Yaml file inclusion support
  • Feature #1032: profiling: per keyword stats

Improvements and Fixes

  • Bug #463: Suricata not fire on http reply detect if request are not http
  • Feature #986: set htp request and response size limits
  • Bug #895: response: rst packet bug
  • Feature #940: randomize http body chunks sizes
  • Feature #904: store tx id when generating an alert
  • Feature #752: Improve checksum detection algorithm
  • Feature #746: Decoding API modification
  • Optimization #1018: clean up counters api
  • Bug #907: icmp_seq and icmp_id keywords broken with icmpv6 traffic
  • Bug #967: threshold rule clobbers suppress rules
  • Bug #968: unified2 not logging tagged packets
  • Bug #995: tag keyword: tagging sessions per time is broken

Many more issues were fixed, please see: https://redmine.openinfosecfoundation.org/versions/51

Special thanks

We’d like to thank the following people and corporations for their contributions and feedback:

  • Ken Steele — Tilera
  • Jason Ish — Endace/Emulex
  • Duarte Silva
  • Giuseppe Longo
  • Ignacio Sanchez
  • Nelson Escobar — Myricom
  • Chris Wakelin
  • Emerging Threats
  • Coverity
  • Alessandro Guido
  • Amin Latifi
  • Darrell Enns
  • Ignacio Sanchez
  • Mark Ashley
  • Paolo Dangeli
  • rmkml
  • Will Metcalf

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know!

As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal. With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.

Suricata 1.4beta2 Available for testing!

Photo by Eric LeblondThe OISF development team is proud to announce Suricata 1.4beta2. This is the second beta release for the upcoming 1.4 version.

The main addition of this release is a usable lua scripting keyword for detection: luajit. This keyword allows you to run Lua scripts as part of the detection engine, allowing inspection beyond what the rule language offers. While not cheap, performance is not bad at all due to use of the luajit engine.

This release also brings major performance enhancements. We’re able to get virtually packet loss free with AF_PACKET on our ISP test box with 6gbps-9gpbs of sustained traffic on commodity hardware with 7k rules.

Get the new release here: suricata-1.4beta2.tar.gz

New features

  • New keyword: “luajit” to inspect packet, payload and all HTTP buffers with a Lua script (#346)
  • Added ability to control per server HTTP parser settings in much more detail (#503)

Improvements

  • Rewrite of IP Defrag engine to improve performance and fix locking logic (#512, #540)
  • Big performance improvement in inspecting decoder, stream and app layer events (#555)
  • Pool performance improvements (#541)
  • Improved performance of signatures with simple pattern setups (#577)
  • Bundled docs are installed upon make install (#527)
  • Support for a number of global vs rule thresholds was added (#425)
  • Improved rule profiling performance
  • If not explicit fast_pattern is set, pick HTTP patterns over stream patterns. HTTP method, stat code and stat msg are excluded.

Fixes

  • Fix compilation on architectures other than x86 and x86_64 (#572)
  • Fix FP with anchored pcre combined with relative matching (#529)
  • Fix engine hanging instead of exitting if the pcap device doesn’t exist (#533)
  • Work around for potential FP, will get properly fixed in next release (#574)
  • Improve ERF handling. Thanks to Jason Ish
  • Always set cluster_id in PF_RING
  • IPFW: fix broken broadcast handling
  • AF_PACKET kernel offset issue, IPS fix and cleanup
  • Fix stream engine sometimes resending the same data to app layer
  • Fix multiple issues in HTTP multipart parsing
  • Fixed a lockup at shutdown with NFQ (#537)

Credits

We’d like to thank the following people and corporations for their contributions and feedback:

  • Jason Ish – Endace
  • Chris Wakelin
  • Rmkml

Known issues & missing features

In a beta release like this things may not be as polished yet. So please handle with care. That said, if you encounter issues, please let us know! As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete or optimal.  With this in mind, please notice the list we have included of known items we are working on.

See issues for an up to date list and to report new issues. See Known_issues for a discussion and time line for the major issues.

About Suricata

Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community.